Security Stack Sheet #103

 

Word of the Week

“Perfectly Privacy-preserving AI”

How to extract your training data & your model from your ML endpoint?

Over the past few years, providers such as Google, Microsoft, and Amazon have started to provide customers with access to software interfaces allowing them to easily embed machine learning tasks into their applications. Overall, organizations can now use Machine Learning as a Service (MLaaS) engines to outsource complex tasks, e.g., training classifiers, performing predictions, clustering, etc. They can also let others query models trained on their data. Naturally, this approach can also be used (and is often advocated) in other contexts, including government collaborations, citizen science projects, and business-to-business partnerships. However, if malicious users were able to recover data used to train these models, the resulting information leakage would create serious issues. Likewise, if the inner parameters of the model are considered proprietary information, then access to the model should not allow an adversary to learn such parameters. In this document, we set to review privacy challenges in this space, providing a systematic review of the relevant research literature, also exploring possible countermeasures. More specifically, we provide ample background information on relevant concepts around machine learning and privacy. Then, we discuss possible adversarial models and settings, cover a wide range of attacks that relate to private and/or sensitive information leakage, and review recent results attempting to defend against such attacks. Finally, we conclude with a list of open problems that require more work, including the need for better evaluations, more targeted defences, and the study of the relation to policy and data protection efforts.

Image for post

Especially as of recent, privacy is a big topic. As more of our lives are entrusted to algorithms it’s important that we ensure they are both secure (against causative attacks like evasion or poisoning) and preserve privacy. Hopefully this post has given you a flavour of what the problem is — and what the potential solutions to it might look like.

A circuit board  Description automatically generated

Stay safe & secure everyone

Links HERE and HERE and HERE and papers HERE and HERE and HERE and guide HERE and year in review HERE and podcasts HERE and an older article from Apple HERE

 

Word of the Week Special

“When WAFs Go Wrong”

Web application firewalls are increasingly disappointing enterprises today.

A new survey out last week indicates that a significant number of web application attacks bypass the WAF, organizations struggle to tune them, and they’re not well-integrated into broader security functions. This only serves to bolster warnings made by analysts and other studies over the past 18 months that WAF protection mechanisms need to evolve and can’t be the only mainstay for an AppSec program

Link HERE and Unmasking WAFs and finding the source HERE

AND

“Punishing users for cyber security mishaps increases anxiety and reduces productivity”

In a survey of UK businesses CybSafe found that cyber security mishaps, such as falling for simulated phishing scams, are regularly punished through actions such as naming and shaming, decreasing access privileges, locking computers until training is completed and informing an individual’s line manager

Link HERE

 

Bonus

A screenshot of a cell phone  Description automatically generated

Thanks to Naz

Idea of the Day: Building trust

A screenshot of a cell phone  Description automatically generated

Link HERE

A picture containing bird  Description automatically generated

Thanks to Mithun

Link HERE

A screenshot of a cell phone  Description automatically generated

Link HERE

A screenshot of a cell phone  Description automatically generated

Link HERE

 

Crypto challenge of the week

Decode me!

D: mb xwhvxw mlnX 4X6AhPLAR4eupSRJ6FLt8AgE6JsLdBRxq57L8IeMyBRHp6IGsmgFIB5E :ztey

Link HERE

 

Dates

  • May 25th 2018: Over 2 years of GDPR Live! See incidents section below GDPR Enforce Tracker Link HERE – thanks to Marius
  • 1st January 2020 – The California Consumer Privacy Act (CCPA) becomes effective Link HERE
  • Now: TLS1.2 mandatory for proper security HTTPS everywhere HERE
  • DO NOT DELAY TLS1.2 migration LATER THAN JUNE 2020 or A FEW THINGS WILL STOP WORKING! [Browsers, Office365, Cisco and many others]
  • January 2020 – Qualys SSLLabs will rate your TLS1.0 setup as B – Qualys will de-grade you HERE
  • June 2020 – Microsoft plans to deprecate TLS versions 1.0 and 1.1 in Office 365 and Office 365 GCC – HERE
  • 31st of December 2020 – Brexit Finalised?

UK Government chose not to investigate if Russian hackers interfered in Brexit referendum, report reveals

Link HERE

  • 1st of July 20201 – Freedom from viruses?

Covid-19, Authoritarianism and Democracy

A picture containing person, holding, person, person  Description automatically generated

Link HERE

  • November 3rd 2020: Trump’s second term start

Trump says he will ban popular Chinese video app TikTok in the US and Microsoft bid for TikTok on hold amid Trump ban fears

& Trump Targets WeChat and TikTok, in Sharp Escalation With China

9k=

AND

A picture containing text, book  Description automatically generated

AND result

Links HERE and HERE and HERE and HERE and HERE

  • 2022 – First trip to Mars according to Elon Musk
  • 2023 – 3DES is deprecated for all new applications and usage is disallowed after 2023 HERE
  • 2024 – Back to the Moon according to Trump and NASA

Great news in September and October will carry Trump to victory

Link HERE

  • Flash End-of-Life is December 31, 2020
  • US Government Websites Will be Accessible Through HTTPS Only, After September 1

 

Book of the month

More on writing by Richard Stiennon

Link HERE

 

Comic of the week

  Boss Doesn't Understand - Dilbert by Scott Adams

 

##Some OWASP stuff first











Leave a Reply

Your email address will not be published. Required fields are marked *